[infrastructure] Re: [development] Drupal 4.5 unsupported

Steven Peck speck at blkmtn.org
Sat May 27 20:52:42 UTC 2006

Thinking as a non-developer.....

I will start with one comment.  I am not a developer.  After over two
years of Drupal use, I still do not know php.  Despite this, I still
have figured out how to run TortoiseCVS and have local CVS copies of
4.6, 4.7 and the CVS branches of Drupal from the instructions in the

The policy for current and one previous version was established last
year and I, a non-developer, was asked for my input on it.  It is
documented in the handbook on (http://drupal.org/node/27362) "Drupal
version numbers or which version you should use" and the last line
"Supported versions for security patches and availability for download
are the current stable release and one version previous."

4.5 is insecure.  It is not responsible to provide easy download of 4.5
Drupal core that exposes from the start people to known exploited
security vulnerabilities.  Microsoft has taken a lot of heat and a
serious publicity beating on security issues and I do not wish us to
ever do so.  Drupal is known as a fairly secure application but we've
had some recent issues which have generated a good response to build
and develop better conscious security practices.  Instituted a security
mail list and notifications.  Added signup recommendations to the Best
Practices section.

As a 'not developer' I rely on others to maintain secure code.  I am not
a vendor I admit, but I directly maintain 14 sites and support 5 friends
who maintain 10-15 additional sites.  These sites are a mix of 4.6 and
4.7 latest releases.  I send them notes and help them with upgrades
because they are my friends but they are also my customers.  I learn
from them neat things I would not otherwise do with Drupal and theming
and they get a really neat CMS that their peers are using and help me in
areas where their skills are better than mine.

In my view, given the pain and suffering people who did not and do not
upgrade due to security issues, it is irresponsible to make such
vulnerable releases easily available.  It does an incredible disservice
to both the people still running insecure sites and the Drupal community
at large.  If I recall, part of the reason for this decision originally
was such a public exploit.  Spreadfirefox was running an old unpatched
codebase.  We had to deal with the fallout from that for several months
and we had provided many notices to many people.  This is the worst
possible publicity.

I understand people want to run discontinued products, but I also
understand people's desire to make bad decisions and do not want to help
enable them.... In this case it is a very bad idea.  On a personal
level, some parts of a company I worked for refused to update their
systems to account for vulnerabilities.  One day, a virus came in.  It
cost the company a million dollars in people's time, support, and lost
business.  I went into work at 7am and ended up going home at 2:30am
while my co-workers stayed until 8am when I and a few others came back
to continue cleaning things up.  1,000 people could not work
productively for an entire day due to this and had to work the following
two Saturdays to catch up and some systems took 2-3 more days to fully
secure and restore.  An expensive lesson.  One which resulted in
management taking the support team's recommendation that has a hard
timeline for testing and applying patches and a documented process for
exceptions and timelines that those exceptions must be resolved in.

It should not be convenient for people to get insecure product... Ever!
There should be an effort involved.  As an IT Support professional who
has had to help deal with and clean up the cost of breaches in security.
Salvaging data/systems and the loss of work hours and data that it
entails, I am 100% against exposing people to this risk easily.  I do
not wish to see more forum posts from people who have been hacked and
lost their data.  I wrote the start of the best practices to help people
deal with and avoid this and the number of people who have had problems
has been reduced in the forums significantly because we promote this

How bout this.  A front page announcement reminding people of this
policy?  I will try and get time to write a more step by step TortoiseCVS
page on downloading branches of the CVS but my wife is pregnant and not
well so no guarantees on how soon with some other commitments.


> -----Original Message-----
> From: development-bounces at drupal.org 
> [mailto:development-bounces at drupal.org] On Behalf Of 
> blogdiva at culturekitchen.com
> Sent: Saturday, May 27, 2006 10:24 AM
> To: development at drupal.org
> Cc: blogdiva at culturekitchen.com
> Subject: Re: [infrastructure] Re: [development] Drupal 4.5 unsupported
> Ber, Morbus and all,
> Would you consider stepping back a moment and thinking as a
> non-developer? This is the kind of decision that ought to fall on the
> shoulders of a user-relations team and not developers.
> I worked at Colgate-Palmolive as the tech and communications writer  
> for their Consumer Affairs department. Colgate-Palmolive is the  
> largest manufacturer of toothpaste in the world, among many other  
> products.  They produce everything from dentistry pharmaceuticals to  
> dog food.
> For four years I wrote the manual on how to handle all sorts of  
> inquiries, complaints and suggestions coming from consumers. My job
> was to write human-readable instructions and communications guides
> for our Consumer Affairs representatives. I was dead against scripts
> because they show a lack of training and understanding of the
> products and consumers; and at that time my bosses agreed.
> Knowledge of all products, past and present, was a part of the  
> training for our reps.  I was instrumental in making that happen in  
> the least of techie ways given that this was BEFORE the internet was  
> used by major companies for doing business (1994). I mean, the system
> I was using was written in a pre-WYSIWYG DOS system.  So you can
> imagine how "cutting edge" and scary for non-techie people that must
> have been. My job was twofold: I had to help transition
> consumer-to-company communications from an analog system of communications to
> this new digital system while also transitioning and streamlining the
> internal communications all departments affected by consumers (Legal,
> Marketing, Sales, R&D).
> One of the biggest percentages of communications was on discontinued  
> products. People would always call or write about products the  
> company had stopped manufacturing for years. Loyal consumers sensing  
> the disappearance of the product would stock up on it. CP spent a lot
> of time and effort on these particular people. Why? Because if
> consumers were bound to look for that product high and low it meant
> they were loyal consumers. The challenge for the company was to
> transition those consumers to newer products and keep them as
> word-of-mouth evangelizers.
> One of the most frustrating aspects of working with Drupal is the  
> lack of forethought on word-of-mouth evangelizing and user loyalty  
> that goes in the development, implementation and the dissemination of
> the product --and yes, I am calling Drupal a product because that is  
> what it is.
> Given that you have an open source product it is a mystery to me why  
> you have decided to disappear from your site the history of the  
> product's development. This is a huge loss for future developers who  
> come to the site looking to learn more about the product.  If it were
> up to me, I'd curate a whole section on the development of Drupal.
> I'd keep each release for historical documentation and, if possible,
> annotate it with some commentary not just from developers but
> particularly from loyal users of Drupal.
> A product's success does not lie just on its design or development.
> A product's success lies on its word-of-mouth reputation among
> users. Word-of-mouth is what makes or breaks products and it's why  
> most of the shittiest products succeed. Toys like "Pet Rock" to  
> celebrities like "Paris Hilton" make it all by the grace of their  
> word-of-mouth god. It's not fair but it's what happens in the real  
> world.
> Back to Ber and Morbus and most of the developers of Drupal: I
> just think that as developers, your way of thinking works best with
> code. I honestly do not know what it is about this group of  
> developers but you definitely think and work differently than  
> developers in the Movabletype, TextPattern and WordPress development  
> groups. For me, as someone who has been 'looking from the outside  
> in', in all these groups, it's really interesting to see how  
> differently coders work from one product to another ---and it proves  
> software development is a very personal and subjective process; even  
> when done by a group of people.
> You have a good product and a growing base of non-developers eager to
> use it. Open archival access to your past success needs to be an
> important part of how you engage the people who use Drupal. It should
> be integral to your documentation, which gets better with each  
> passing day.
> You still need people who are part of core who deal solely with  
> community/user/consumer issues and think about these things. You need
> more than one person so that developers don't get the opportunity to  
> gang against him/her (as in the Dilbert effect). Which is why, these  
> people need to be regarded as part of the core group of developers.
> Yes, I do have to agree with the common belief that it's rare to find
> developers who understand the nuances of community/consumer affairs.
> They are out there, and you do have some right here within your
> ranks. But as development groups go, you have to decide that
> dealing with the community is just as important as dealing with the
> code. And more importantly, you need to decide on a process on how to go
> about that, even if it means developers won't be part of that
> decision making.
> Which is why I insist : Give away those decisions to people who can  
> do that person-to-person heavy lifting. It will make Drupal.org an  
> infinitely better experience.
> Best,
> l i z a sabater
> www.lizasabater.com
> AIM - cultkitdiva
> SKYPE - lizasabater
> TEL - 646.552.7365
> On  27.May.2006, at 11:36, Khalid B wrote:
> > On 5/27/06, Morbus Iff <morbus at disobey.com> wrote:
> >> > Why do you need to remove this stuff? There are those who like I have
> >>
> >> Leaving it up is, to some, an admission of *support*.
> >
> > Lisa
> >
> > Also, remember that 4.5 is not patched for the latest exploits, so it is
> > very dangerous to continue to run with that, regardless if it is supported
> > or not ...
> >
